Tripwire Endpoint Security Survival Guide

Upload: andrew-thompson

Post on 06-Jul-2018


  • 8/16/2019 Tripwire Endpoint Security Survival Guide


ENDPOINT SECURITY SURVIVAL GUIDE

TW-BRESSG16

A Field Manual for Cybersecurity Professionals

Office of Cybersecurity Preparedness


    INTRODUCTION

During the past decade, attackers have demonstrated incredible creativity in adjusting to changes in the security industry. Each time security vendors create a new type of "lock" to protect enterprise assets and data, the criminal underground builds a new set of lock picks in the form of malware to help them circumvent the new controls.

A proactive cybersecurity defense is the best strategy for protecting your business against cyber threats. In the past, security approaches have focused on understanding attacks to stop cybercriminals from accessing corporate networks and systems, but this approach has become less effective. Endpoint Detection and Response (EDR) is a proactive approach that focuses on behavior that indicates an attack is underway rather than just indicators of compromise (IoCs). In this way, it helps you protect your network against zero-day threats and a wide range of emerging threats. It also reframes the security problem so you're not just focused on keeping the bad guys out. Instead, you're also working to quickly detect intrusions, minimize attackers' abilities and reduce the potential damage they can cause if they do get in. This is a subtle but critical shift in strategy that works to disrupt criminal activities. Even if attackers do manage to breach your network, EDR helps make sure they leave empty-handed.


EDR relies on the deployment and active management of key security controls for your business-critical assets. These controls provide crucial information that allows endpoint incidents to be quickly detected, identified, monitored and handled.

This guide delves into the implementation and maturation of each control. It provides an overview of how to build an effective EDR program through robust implementation of these six key controls:

  1. Endpoint Discovery
  2. Software Discovery
  3. Vulnerability Management
  4. Security Configuration Management
  5. Log Management
  6. Threat Detection and Response

These controls represent a consolidated security foundation that is common across many security frameworks, and they are necessary for the implementation of an effective EDR program. This guide breaks down the implementation of each control into three phases that progress from the basics to a robust, mature implementation that delivers the information necessary to support an EDR program and effectively combat cybercrime.


Terms Used in This Field Guide

To help simplify the process of implementing and optimizing the six key security controls for EDR, the guide uses the following phrases to identify each phase of implementation, broken down into manageable steps:

BOOT CAMP: This is basic security hygiene. Every security program, regardless of time, budget and skill set, should implement at least the basics for each control. Implementation of each control at this level is a prerequisite to advanced training.

ADVANCED TRAINING: If you have dedicated security resources that allow you to go beyond the basics, you should consider adding these advanced capabilities for each control in order to improve visibility and reduce security risks.

COMBAT READY: This term describes the most mature security programs, and expands the implementation of each control to provide the information and visibility necessary to support a robust EDR program.


This field guide describes a sequential, cumulative process of implementing and improving foundational security controls. Keep in mind that skipping a procedure will make each subsequent procedure more difficult to implement, and less effective. For example, building an accurate hardware and software inventory makes hardening configurations more effective. If you miss hardware or software assets in your inventory, and as a result they are not securely configured, your organization's security posture will be weaker, and the subsequent controls required for an effective EDR program will be less effective.

After you read this guide, you should be able to accurately evaluate your organization's implementation of each control and understand what you need to do to improve the efficacy of each control.


    ENDPOINT DISCOVERY

    You must know your hardware to defend it.

Keeping track of your endpoints is essential work that facilitates hardware and software management, license compliance, regulatory compliance and, most critically, security.

    The principles of asset discovery are:

A. Removing security blind spots: It's difficult to create a complete picture of your enterprise network endpoints all at once, but breaking down the process into stages makes it more manageable. You can start with the systems and processes that already exist in your organization. These inputs are likely to be spreadsheets, out-of-date network diagrams, or notes stored on the desktops or in the heads of your IT staff.

B. Standardization now will save time later: Standards, like the NIST Specification for Asset Identification (NISTIR 7693), are useful for identifying endpoints using information you already know about them. With a common format you will be able to share asset information between tools and groups that may not "speak the same language," such as IT Service Management (ITSM) and Security Information and Event Management (SIEM) toolsets, or IT and OT.

http://csrc.nist.gov/publications/nistir/ir7693/NISTIR-7693.pdf


C. You really can't get out of doing this: Before you can defend your network against an enemy, you need an accurate picture of yourself and your environment.

While third-party management of endpoints can be an attractive option, no one knows your business and the value of your data and systems the way you do. One of the first steps an attacker targeting your network will take is building an inventory of potential targets connected to your networks. Attackers do this as part of a process of discovering your weaknesses, because those are the easiest places to attack. To defend your endpoints, you need to know where your weaknesses are, so you can fix them before the enemy uses them to attack you. There's no way to find all of the weaknesses in your network if you don't first have an accurate list of your assets.

Impediments to Discovery

These things can trip you up:

1. Segregated networks: In larger organizations, endpoints are usually located across a global collection of multi-segmented networks, physically secured areas, and behind data diodes that prevent unauthorized access. Appliance and cloud-based options that deploy data collectors on remote and segmented networks can be useful for endpoint discovery in segregated environments.

2. Proprietary protocols: Not all networks support traditional IT protocols. Some endpoints, like Industrial Internet of Things (IIoT) devices, will speak proprietary protocols that are not IP-based.

3. Fragile as an autumn leaf: Scanning some types of endpoints, such as IIoT devices, can result in disrupted service. Passive discovery and asking around may be the only ways to inventory these devices safely without affecting availability or reliability.

http://www.tripwire.com/state-of-security/featured/the-industrial-internet-of-things-fueling-a-new-industrial-revolution


BOOT CAMP: Establish a baseline of your endpoints

1. Collect information from existing records: Ask for all of the network maps, Excel sheets of endpoint assets, sticky notes and other odds and ends of information that comprise your system of record.

2. Scan your network: After gathering tribal knowledge about what people think is on your network, it's a good idea to find out what's actually on your network using an automated discovery tool to scan it. Use a commercial product (e.g. Tripwire® Asset Discovery) or a free networking tool (such as Nmap) to start mapping your network.

3. Passive discovery: Use a commercial product, such as Lumeta IPSonar, or a free tool, such as Kismet, to map the endpoints, including wireless access points.

4. Reduce your addressable IP space: Make sure your organization is using the fewest number of IPs possible, and make sure those IPs are within the private address space (RFC 1918). Private addressing shrinks what is directly routable from the Internet, but it is not a security boundary on its own: anything that can reach the segment (VPN users, a compromised neighbor, a misconfigured NAT rule) can still reach the host.

ADVANCED TRAINING: Refine your endpoint asset inventory

5. Use logging from DHCP: If you are using DHCP, you can collect these logs to keep a record of the endpoint MAC addresses on your network.

6. Acquiring new hardware: Endpoint inventory should be a documented part of the business process associated with inventory and control. Make the addition of new hardware and the removal of old hardware part of an ongoing endpoint inventory process. Once per quarter, or more often if possible, use endpoint discovery scans to identify unauthorized endpoints that could be a vector for attack.

https://www.tripwire.com/register/tripwire-asset-discovery-appliances-discovery-and-profiling-for-network-situational-awareness/
https://nmap.org/
http://www.tripwire.com/register/tripwire-ip360-with-lumeta-ipsonar-providing-unparalleled-visibility-for-vulnerability-management/
https://www.kismetwireless.net/
https://tools.ietf.org/html/rfc1918


7. Attach ownership and other metadata: Now that you know which endpoints are out there, you need to know who's responsible for them. This can be difficult, especially when this information is not written down.

Use your security tool's metadata capabilities to track endpoint information such as endpoint owner, business purpose, risk, value and other key elements that help identify the business context of each asset. Identifying the endpoint owner is especially important in order to know who to partner with to improve the security of the endpoint. Ideally, this information will be incorporated across your security tools automatically using tags and rule sets derived from the configuration and profile of each endpoint. This approach dramatically reduces or eliminates manual data entry errors.

COMBAT READY: Electrify the fences, automate, alert and integrate

8. Electrify the fences: Now that you've attached ownership to each endpoint, you should require the owners of endpoints to authenticate when using shared resources like wireless access points, typically with 802.1X port-based network access control. This way only authorized devices and users are allowed to use secured networks.

9. Automate: Along with DHCP logs, use active and passive scans to update the endpoint inventory, increasing the accuracy and timeliness of data and alerts.

10. Alert: Start adding alerts for unauthorized or unknown devices so these can be quickly identified and either authorized or sequestered from the network.

11. Integrate: Look for ways to enhance and improve discovery accuracy by integrating and correlating inventory data across ITSM, SIEM, GRC and FIM tools.
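The Boot Camp, Advanced Training and Combat Ready steps above (scan with Nmap, collect DHCP leases, keep addresses in RFC 1918 space, then automate and alert on unknown devices) reduce to one reconciliation job: merge what discovery sources report and compare it with the system of record. The following is an added example written for this guide, not Tripwire code. The Nmap XML fragment, the ISC dhcpd syslog lines and the baseline inventory are constructed inline; hostnames, MACs and addresses are assumptions.

```python
"""Reconcile discovered endpoints against an authorized inventory.

Added example, not Tripwire's code. All inputs are constructed inline:
an Nmap XML fragment like what `nmap -sn -oX -` emits, a few ISC dhcpd
syslog lines, and a baseline inventory keyed by MAC address.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: two hosts up (MACs are only visible from the same L2 segment), one down.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.5.10" addrtype="ipv4"/>
    <address addr="00:11:22:AA:BB:01" addrtype="mac" vendor="Dell"/>
  </host>
  <host><status state="up"/>
    <address addr="10.0.5.77" addrtype="ipv4"/>
    <address addr="DE:AD:BE:EF:00:77" addrtype="mac"/>
  </host>
  <host><status state="down"/>
    <address addr="10.0.5.200" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed sample: ISC dhcpd syslog lines; DHCPACK means a lease was granted.
DHCP_LOG = """\
Jul  6 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.5.10 to 00:11:22:aa:bb:01 (wks-0421) via eth0
Jul  6 09:15:44 dhcp1 dhcpd: DHCPDISCOVER from 3c:4d:5e:00:00:99 via eth0
Jul  6 09:15:45 dhcp1 dhcpd: DHCPACK on 10.0.5.133 to 3c:4d:5e:00:00:99 via eth0
Jul  6 09:20:02 dhcp1 dhcpd: DHCPACK on 203.0.113.5 to 00:11:22:aa:bb:02 (lab-box) via eth1
"""

# Constructed baseline: the current system of record, keyed by lowercase MAC.
BASELINE = {
    "00:11:22:aa:bb:01": {"owner": "finance", "purpose": "workstation"},
    "00:11:22:aa:bb:02": {"owner": "lab", "purpose": "test server"},
    "00:11:22:aa:bb:03": {"owner": "hr", "purpose": "printer"},
}

# RFC 1918 checked explicitly: ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DHCPACK_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_nmap(xml_text):
    """Return {mac: ipv4} for hosts Nmap reports as up and resolved to a MAC."""
    seen = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        if "mac" in addrs and "ipv4" in addrs:
            seen[addrs["mac"].lower()] = addrs["ipv4"]
    return seen


def parse_dhcp(log_text):
    """Return {mac: ip} from DHCPACK lines; a later lease overwrites an earlier one."""
    seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            seen[m.group("mac").lower()] = m.group("ip")
    return seen


def in_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def reconcile(baseline, *sources):
    """Merge discovery sources and flag what the baseline does not explain.

    Returns (alerts, inventory): alerts is a list of (kind, mac, ip) tuples,
    inventory maps every MAC seen to its latest IP plus baseline metadata.
    """
    observed = {}
    for src in sources:          # later sources win on conflicting IPs
        observed.update(src)
    alerts, inventory = [], {}
    for mac, ip in observed.items():
        meta = baseline.get(mac)
        if meta is None:
            alerts.append(("unknown-endpoint", mac, ip))   # Combat Ready step 10
            inventory[mac] = {"ip": ip, "owner": None}
        else:
            inventory[mac] = {"ip": ip, **meta}
        if not in_rfc1918(ip):                              # Boot Camp step 4
            alerts.append(("public-address", mac, ip))
    for mac in sorted(baseline.keys() - observed.keys()):
        alerts.append(("not-seen", mac, None))              # stale record or powered off
    return alerts, inventory


if __name__ == "__main__":
    alerts, _ = reconcile(BASELINE, parse_nmap(NMAP_XML), parse_dhcp(DHCP_LOG))
    for kind, mac, ip in sorted(alerts, key=lambda a: (a[0], a[1])):
        print(f"{kind:17} {mac:18} {ip or '-'}")
```

Run against the constructed inputs it raises two unknown-endpoint alerts (the host Nmap saw and the MAC that only appears in the DHCP log), one public-address alert for the lab box on a non-RFC 1918 address, and one not-seen alert for the printer in the baseline that no source observed. The last category is worth acting on too: a record nobody can find is either stale inventory or a device that has left the network with its data.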


SOFTWARE DISCOVERY

You must know your software to defend it.

Keeping track of your software assets is essential for a well-run enterprise and facilitates more effective software management, license compliance and, most critically, security. Nearly every regulatory compliance standard includes software inventory because attackers could exploit unknown or unnecessary applications. In addition, the mere presence of an application on an endpoint could be an indication of an attack.

The principles of software discovery are:

A. Attackers will find the weakest parts of your attack surface: The bad guys love to find a juicy unpatched software package. Whether it's a server running an old version of SSH or Apache, or a laptop with a five-year-old Internet Explorer, exploits are easy to find and use.

B. What you don't know can hurt you: In terms of licensing and security, not knowing exactly which software is used on each endpoint can be expensive. When it comes time to pay for licenses of premium software, knowing the number of licenses you are paying for versus actual license usage may help you negotiate a lower maintenance renewal cost. Unknown or unnecessary software increases security risks because these installations are easier for attackers to misuse or exploit. If you don't need a specific software package on an endpoint, turn it off.


C. For lack of a backup the kingdom was lost: When a system fails over during a planned outage, having an identical system to pick up the tasks is critical. Part of a comprehensive software inventory process is identifying backups. This makes recovery more successful and helps minimize repair costs.

BOOT CAMP: Lists and authorizations

1. Build a complete list: You can use an endpoint asset discovery or vulnerability management tool (like Tripwire Asset Discovery or Tripwire IP360™), Excel or a free database to document authorized software packages on each type of endpoint.

2. Scan your network: The same tools used for endpoint discovery apply here. You can use a commercial product, such as Tripwire Asset Discovery, or a free networking tool, such as Nmap, to identify open ports and services. Keep in mind that a network scan only reveals software that is listening on the network; a host-side inventory (installed packages, running processes) is needed to find everything else.

3. Roles endpoints play: A server usually doesn't need Microsoft Word, a workstation shouldn't be running a web server, and accounting probably doesn't need Visio. For each department and business unit there should be a list of authorized software for each type of hardware device.

4. In security, less is more: "Perfection is achieved not when there is nothing more to add, but when there is nothing left to take away." Reducing the number of authorized applications will make it easier to protect the remaining authorized software. Fewer software applications also mean there are fewer holes an attacker can squeeze through. There's also less software to patch, protect and monitor, which reduces resource requirements and false alarms.

https://www.tripwire.com/register/tripwire-asset-discovery-appliances-discovery-and-profiling-for-network-situational-awareness/
http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/tripwire-ip360/
http://lifehacker.com/5962245/perfection-is-achieved-not-when-there-is-nothing-more-to-add-but-when-there-is-nothing-left-to-take-away


ADVANCED TRAINING: Secure those systems

5. File integrity monitoring and security configuration management: Now that you have an accurate list of all the endpoints you have and the software applications they're running, the next step is to make sure they only change as authorized. To achieve this, you'll need to monitor endpoints to ensure the integrity of configurations and reduce "drift" from known good states. Catching and remediating unauthorized changes will maintain and improve your security posture and help identify a breach quickly. Products like Tripwire Enterprise have evolved to meet these needs by going beyond basic file integrity monitoring, including advanced capabilities like auto-remediation and detailed change histories, along with the context and feeds necessary to differentiate good from bad change.

6. Whitelist profile: An unauthorized port is a policy violation at best and an IoC at worst. Tripwire Enterprise can identify ports and services running on endpoints and monitor for unauthorized port usage. You can also trigger automatic alerts and remediation when an unauthorized service is present or running.

7. Exception handling: Every business or mission has some legacy applications and one-off proprietary items that are more difficult to secure. The owners of these endpoints may have access to critical information about their purpose and configuration, as well as the authentication and privileges needed to access them or make changes in an emergency. Make sure you know who owns these assets and how they are handled during audits. It's also crucial to identify the mitigating controls that can be used to secure them.

http://www.tripwire.com/it-security-software/scm/tripwire-enterprise/
http://www.tripwire.com/register/tripwire-whitelist-profiler/
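Step 5 describes file integrity monitoring without showing what "drift from a known good state" looks like in practice. The following is an added example for this guide, not Tripwire Enterprise's or any product's code: it takes a SHA-256 snapshot of a directory tree, then classifies added, removed and modified files (a permission change alone counts as modified). The directory, its files and the tampering in demo() are all constructed so the example runs offline.

```python
"""Minimal file-integrity baseline and drift check.

Added example; not Tripwire Enterprise or any product's code. It hashes every
regular file under a root, then reports added, removed and modified files
relative to the baseline. demo() constructs a throwaway tree so it runs offline.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: (sha256, permission_bits, size)} for regular files under root.

    Symlinks are skipped on purpose: following them would let an attacker
    point a monitored path at a file of their choosing.
    """
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            snap[rel] = (hash_file(full), st.st_mode & 0o7777, st.st_size)
    return snap


def drift(baseline, current):
    """Classify differences between two snapshots. A mode change alone counts as modified."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Build a tree, baseline it, tamper with it, and return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("authorized users only\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        os.chmod(os.path.join(etc, "hosts"), 0o644)
        baseline = snapshot(root)

        # Tampering: weaken sshd_config, delete motd, make hosts world-writable,
        # and drop an unexpected script.
        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(os.path.join(etc, "motd"))
        os.chmod(os.path.join(etc, "hosts"), 0o666)
        with open(os.path.join(etc, "cron.sh"), "w") as f:
            f.write("#!/bin/sh\nid > /tmp/owned\n")
        return drift(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

The baseline itself must be stored somewhere the monitored host cannot rewrite (a central server, or at least a signed file), otherwise an attacker who changes a file simply re-baselines it. That is the difference between this sketch and a real FIM product, which also adds who changed what and whether the change matched an approved ticket.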


COMBAT READY: Electrify the fences, automate, alert and integrate

8. Electrify the fences: Now that you know what should be running on each asset type, you can start identifying unauthorized applications. Just as with ports, unauthorized apps are a policy violation at best and an IoC at worst, so it's important to find them quickly. When your endpoint detection solution identifies an unauthorized application, it's important to investigate because it may be part of a breach. The good news: once you define "authorized" software applications, it's much easier to define "unauthorized" through process of elimination.

9. Automate: Your environment isn't static. You need to update your endpoint software inventory regularly using file integrity monitoring and whitelist profiling to keep it accurate. It's also smart to make sure old software is decommissioned and new software is carefully vetted to ensure compatibility and compliance with your policies. As your organization evolves, your endpoint population will change. These shifts need to be incorporated into a baseline that represents "known good" devices and configurations, which will help you identify "known bad" ones.

10. Alert: Start adding alerts when unauthorized software is found in your environment. Gateways, such as Palo Alto Networks' next-generation firewalls, can identify applications in use across gateways. Tripwire IP360 is excellent at inventorying applications installed on endpoints.

11. Integrate: Once you have individual security tools working reliably, look for ways to expand integration across your security stack. Integration across ITSM, SIEM, GRC and FIM can automate workflows, saving valuable time and resources. Integration can also make it possible to correlate information between security controls. This improves the accuracy and timeliness of the information necessary to detect and respond to threats.

http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/tripwire-ip360/
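Boot Camp step 3 (a list of authorized software per role), Advanced Training step 6 (unauthorized ports) and Combat Ready step 8 (unauthorized applications found by elimination) all come down to the same comparison against a per-role allowlist. The following is an added example written for this guide, not Tripwire Whitelist Profiler or any product's code. The policy, role names, package names and port sets are constructed; in a real run the installed set would come from a package manager listing and the listening set from ss or netstat output.

```python
"""Audit endpoints against a per-role software and port allowlist.

Added example, not Tripwire Whitelist Profiler or product code. The policy
and the inventories are constructed; a real run would feed in package
listings (dpkg -l, Get-Package) and listening sockets (ss -ltn, netstat).
"""

# Constructed per-role policy (Boot Camp step 3: roles endpoints play).
# "allowed" may be installed; "required" must be installed (e.g. the log agent).
POLICY = {
    "web-server": {
        "allowed": {"nginx", "openssl", "openssh-server", "rsyslog"},
        "required": {"rsyslog"},
        "ports": {22, 80, 443},
    },
    "workstation": {
        "allowed": {"firefox", "libreoffice", "openssh-client", "vpn-client"},
        "required": {"vpn-client"},
        "ports": set(),
    },
}

# Constructed inventories: (hostname, role, installed packages, listening TCP ports)
ENDPOINTS = [
    ("web-01", "web-server",
     {"nginx", "openssl", "openssh-server", "rsyslog"}, {22, 80, 443}),
    ("web-02", "web-server",
     {"nginx", "openssl", "openssh-server", "rsyslog", "netcat"}, {22, 80, 443, 4444}),
    ("wks-0421", "workstation",
     {"firefox", "libreoffice", "openssh-client", "apache2"}, {80}),
]


def evaluate(host, role, installed, listening, policy=POLICY):
    """Return (host, finding, item) tuples; an empty list means the endpoint matches its role."""
    rule = policy[role]
    findings = []
    # Unauthorized software and ports: policy violation at best, IoC at worst.
    for pkg in sorted(installed - rule["allowed"]):
        findings.append((host, "unauthorized-software", pkg))
    for port in sorted(listening - rule["ports"]):
        findings.append((host, "unauthorized-port", port))
    # Missing required software is drift too: an endpoint that stopped logging is blind.
    for pkg in sorted(rule["required"] - installed):
        findings.append((host, "missing-required", pkg))
    return findings


def audit(endpoints=ENDPOINTS, policy=POLICY):
    """Evaluate every endpoint and return all findings in inventory order."""
    return [f for e in endpoints for f in evaluate(*e, policy=policy)]


if __name__ == "__main__":
    for host, kind, item in audit():
        print(f"{host:10} {kind:22} {item}")
```

On the constructed data web-01 is clean, web-02 has netcat installed and something listening on 4444 (investigate, not just remove), and the workstation is running a web server on port 80 while missing the VPN client it is supposed to have. The "required" set is the part people forget: an allowlist only says what may be present, and a missing logging or endpoint agent is exactly the drift an attacker creates first.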


VULNERABILITY MANAGEMENT

Vulnerabilities and exposures are your enemy's allies.

Attackers benefit from the same innovations that drive digital business: automation, crowdsourcing, low-cost cloud computing resources, big data, mobile, and social networks. All of these innovations can also be used to attack you. Worse, an attacker only needs to be successful once through any attack vector; meanwhile, you must remain ever vigilant. Somewhere, in the tangle of interconnected hardware and software packages running on your networks, are vulnerabilities that can be exploited given enough time and effort. Managing those risks continuously and in a timely fashion is crucial to security.

You may also face another challenge if your board of directors does not "get" security and has difficulty understanding the connection between risk reduction and vulnerability management. You will need to communicate your efforts in terms of risk reduction and the potential impacts of breaches avoided.

The principles of vulnerability management are:

A. Highest risks first: You need to work toward continuous vulnerability scans. They will provide you with up-to-date scan results from all the endpoints identified in endpoint and software discovery. These scans will find and prioritize all the vulnerabilities across your network. Once they are located, you will be tasked with remediating the riskiest vulnerabilities quickly.

B. Attackers are looking for the same things you are: They have access to myriad resources, and all they need to do is find a single vulnerability that can be exploited to get in. You must plug holes continuously to reduce your attack surface and limit security risk.

C. Fix vulnerabilities that jeopardize the mission: CVSS provides a useful mechanism for prioritizing vulnerabilities in a standard way that is easily understood between different people, departments and organizations. Keep in mind that the CVSS base score describes the vulnerability in isolation; it says nothing about how exposed or how important the affected asset is. Advanced vulnerability management tools, like Tripwire IP360, include more granular scoring mechanisms that provide predictive "heat map" capabilities. These tools identify the areas of highest risk on your network. These are the places where a successful attack is most likely to disrupt business or operations.

BOOT CAMP: Scans and more scans

1. Scan frequency: Run vulnerability scanning tools against all inventoried systems to identify endpoint weaknesses that could be leveraged during an attack. While many organizations strive for continuous scanning, significant investments in scanning infrastructure may be required to complete assessments within scan windows. Also, remember that human resources are required to respond to the findings.

Choose a scan frequency target that is realistic based on the resources available to you. For example, weekly assessments may be a stretch goal for one organization, but not frequent enough for another. You may also want to increase the frequency of scans on more critical endpoints or Internet-facing systems.

Prioritize the findings from your scans and deliver them to the system owners, summarizing the findings for management. Include risk scores to quantify risk severity and prioritize remediation based on criticality. Tripwire IP360 is an excellent product for internal assessment, and Tripwire PureCloud is very effective for assessing Internet-facing endpoints, as granular scoring based on business context information is a key deliverable.

http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/tripwire-ip360/

2. Patch, harden, repeat: Obviously, identifying these issues is only useful if you are fixing them. Some issues will be addressed using a patch management business process, and others will require a mitigating control or configuration change. Regardless, this will be a continuous process.

3. Report cards: Continuous scans will allow you to quickly identify trends in the data that will indicate how well your vulnerability management program is performing, as well as where risk is increasing or decreasing. They will also help justify resource allocation. Communicate all of these things in your reports. Tripwire's reporting products generate risk report cards to help illustrate security posture trends.
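Steps 1 and 3 ask for risk scores that combine severity with business context, and for report cards that show the trend between scans. The following is an added example written for this guide; the weights are illustrative assumptions and not Tripwire IP360's scoring. It goes one step beyond Boot Camp by also weighting a finding up when a public exploit exists, the signal Advanced Training step 4 says to subscribe to. Hosts, CVE identifiers, scores and owners are all constructed.

```python
"""Prioritize scan findings by business context and trend them week to week.

Added example; the weights are illustrative assumptions, not Tripwire IP360's
scoring. Findings are constructed to resemble a scanner export (host, CVE,
CVSS base score, public exploit available). Asset context is the kind of
metadata the endpoint discovery control attaches to each endpoint.
"""
from collections import Counter

# Constructed asset context (owner, criticality 1-5, exposure).
ASSETS = {
    "web-01":   {"owner": "ecommerce", "criticality": 5, "internet_facing": True},
    "db-01":    {"owner": "ecommerce", "criticality": 5, "internet_facing": False},
    "wks-0421": {"owner": "finance",   "criticality": 2, "internet_facing": False},
}

# Constructed scan results for two consecutive weeks: (host, cve, cvss, exploit_public).
WEEK1 = [
    ("web-01",   "CVE-2017-0001", 9.8, True),
    ("db-01",    "CVE-2017-0002", 7.5, False),
    ("wks-0421", "CVE-2017-0003", 9.8, True),
    ("wks-0421", "CVE-2017-0004", 4.3, False),
]
WEEK2 = [
    ("db-01",    "CVE-2017-0002", 7.5, True),    # same flaw, exploit now public
    ("wks-0421", "CVE-2017-0004", 4.3, False),
    ("web-01",   "CVE-2017-0005", 5.3, False),   # new finding
]


def risk_score(cvss, exploit_public, asset):
    """CVSS scaled by asset criticality, with additive bonuses for exposure
    and a public exploit. Assumed weights; tune them to your own environment."""
    crit = asset["criticality"]
    score = cvss * crit
    if asset["internet_facing"]:
        score += 2.0 * crit
    if exploit_public:
        score += 1.0 * crit
    return round(score, 1)


def prioritize(findings, assets=ASSETS):
    """Return findings highest risk first, with score and owner attached for routing."""
    rows = []
    for host, cve, cvss, exploit in findings:
        asset = assets[host]
        rows.append({"host": host, "cve": cve, "cvss": cvss, "owner": asset["owner"],
                     "risk": risk_score(cvss, exploit, asset)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def report_card(previous, current, assets=ASSETS):
    """Summarize progress between two scans: what was fixed, what appeared,
    how total risk moved, and how much risk each owner still carries."""
    prev = {(h, c): risk_score(s, e, assets[h]) for h, c, s, e in previous}
    cur = {(h, c): risk_score(s, e, assets[h]) for h, c, s, e in current}
    by_owner = Counter()
    for (host, _cve), r in cur.items():
        by_owner[assets[host]["owner"]] += r
    return {
        "fixed": len(prev.keys() - cur.keys()),
        "new": len(cur.keys() - prev.keys()),
        "risk_before": round(sum(prev.values()), 1),
        "risk_after": round(sum(cur.values()), 1),
        "risk_by_owner": {k: round(v, 1) for k, v in by_owner.items()},
    }


if __name__ == "__main__":
    for r in prioritize(WEEK2):
        print(f"{r['risk']:6}  {r['host']:9} {r['cve']}  cvss={r['cvss']}  owner={r['owner']}")
    print(report_card(WEEK1, WEEK2))
```

Note what the context does to the ordering: in week 2 the database's CVSS 7.5 finding outranks the web server's new one, because the exploit went public on a criticality-5 asset, and in week 1 the identical CVSS 9.8 on a finance workstation scored well below the same CVE on the Internet-facing web server. The report card is what goes to management: two findings fixed, one new, total risk down from 131.7 to 87.6, with the remaining risk attributed to owners who can be asked to act.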

ADVANCED TRAINING: Develop your security intelligence

4. Security intelligence sources: Just like you, attackers are looking for ways to make their job easier and do more with fewer resources. The availability of attack kits and frameworks can make it easier for attackers to gain access to your network by automating complex processes. These tools allow less skilled attackers to execute successful attacks. Therefore, your vulnerability risks may increase as new automated attacks become available.

Subscribe to vendors who provide frequent updates to policy content, device and application detection and vulnerability detection rules. Leverage information regarding exploit kit availability and potential impact to prioritize investigation and response, especially in places where an attack is most likely to occur or will cause the most disruption.

http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/tripwire-ip360/
http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/purecloud-enterprise/

5. Do deeper scans: Perform scans in authenticated mode, either with an agent or by providing your scanner with administrative credentials. Credentialed assessments take longer to run than uncredentialed assessments, but the additional information that is gathered dramatically improves discovery and assessment accuracy. The scanner's credentials then work on every system it assesses, so treat them accordingly: use a dedicated account with only the rights the scanner needs, restrict where it may log in from, and rotate it like any other privileged credential.

6. Use your SIEM with Network Intrusion Prevention System (NIPS) logs: One of the core use cases behind the development of correlation engines is the need to correlate the vulnerabilities on an endpoint with active exploits on a network. Combining information from multiple sources increases the usefulness and accuracy of the information. Take advantage of this technology by bringing your scan information and the logs from your network intrusion prevention systems into your log management tool. Tripwire Log Center and its integration with Tripwire IP360 and Cisco FirePOWER NGIPS is an example of this technology in action.

http://www.tripwire.com/it-security-software/tripwire-log-center/
http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/tripwire-ip360/
http://www.cisco.com/c/en/us/products/security/ngips/index.html


COMBAT READY: Automate, alert, integrate

7. Automate patching: Where possible, deploy automated patching software to keep system software up to date. Manual efforts will not scale in most organizations due to the explosive growth in the number of vulnerabilities and the endpoints they impact. Stage the rollout (a test group first, then the fleet) so a bad patch is caught before it reaches every endpoint at once.

8. Limit time frames of scans and alert on discrepancies: You can detect unwanted reconnaissance by defining the times of day when authorized scanning is allowed and then looking, in your SIEM or log manager, for scan-like events that occur outside those hours or that come from addresses other than your scanners. Tripwire Log Center can help with this type of behavioral detection.

9. Integrate scan results into risk systems: Consolidating risk data from multiple sources provides a more accurate view of enterprise risk, which allows you to manage risk and demonstrate improvements in security posture. GRC, network visualization and pure-play risk management tools can all take a role. Consolidated risk data makes it possible to "percolate" risk scores up to the business owners of high-risk endpoints. You should include factors like potential exploit impact, exploitability and attack vectors in these reports. For example, data from Tripwire products integrates with a wide range of other security products to automatically consolidate risk information.

http://www.tripwire.com/it-security-software/tripwire-log-center/
http://www.tripwire.com/company/partners/technology-alliance-partner-tap-program/
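Step 8 is a detection rule with two conditions: port-scan events from anything that is not your scanner, and events from your scanner outside its window. The following is an added example written for this guide, not Tripwire Log Center content. The NIPS log lines, the scanner address and the scan window are constructed assumptions; the window deliberately crosses midnight, which is the case a naive start <= t <= end comparison gets wrong.

```python
"""Flag reconnaissance that falls outside the authorized scan window.

Added example, not Tripwire Log Center content. The NIPS log lines are
constructed; the scanner address and the 22:00-04:00 window are assumptions.
"""
import re
from datetime import datetime, time

AUTHORIZED_SCANNERS = {"10.0.9.10"}
# Window in local time. It wraps past midnight, so "start <= t <= end" would never match.
WINDOW_START, WINDOW_END = time(22, 0), time(4, 0)

# Constructed NIPS syslog sample: three scans by the scanner, one by a workstation.
LOG = """\
Jul  6 22:15:02 nips1 ids: PORTSCAN src=10.0.9.10 dst=10.0.5.0/24 ports=1000
Jul  6 02:40:11 nips1 ids: PORTSCAN src=10.0.9.10 dst=10.0.6.0/24 ports=1000
Jul  6 09:05:44 nips1 ids: PORTSCAN src=10.0.9.10 dst=10.0.7.0/24 ports=1000
Jul  6 13:22:08 nips1 ids: PORTSCAN src=10.0.5.133 dst=10.0.5.0/24 ports=65535
Jul  6 13:22:09 nips1 ids: ACCEPT src=10.0.5.133 dst=10.0.5.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ ids: "
    r"(?P<event>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def in_window(t, start=WINDOW_START, end=WINDOW_END):
    """True if t falls in [start, end), handling a window that wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def classify(line):
    """Return an alert tuple for a PORTSCAN line that violates policy, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("event") != "PORTSCAN":
        return None
    when = m.group("hms")
    t = datetime.strptime(when, "%H:%M:%S").time()
    src, dst = m.group("src"), m.group("dst")
    if src not in AUTHORIZED_SCANNERS:
        return ("unauthorized-source", src, dst, when)   # someone else is mapping you
    if not in_window(t):
        return ("outside-window", src, dst, when)        # misfired job, or a stolen scanner
    return None


def detect(log=LOG):
    return [a for a in map(classify, log.splitlines()) if a]


if __name__ == "__main__":
    for kind, src, dst, when in detect():
        print(f"{when} {kind:19} {src} -> {dst}")
```

On the sample, the two overnight scans pass, the 09:05 scan from the authorized scanner is flagged as outside-window (a scheduled job that moved, or the scanner host itself being used by someone else), and the workstation sweeping its own subnet is flagged as unauthorized-source, which is the one to treat as an incident. In a real deployment the scanner set and window come from the same inventory metadata as the rest of this guide, not from constants.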


    SECURITY

    CONFIGURATION MANAGEMENT

    Default configurations are built for maximum availability andrarely for security.

    Hardening default configurations will mitigate many securityissues on endpoints. Further, any prescriptive compliancepolicy will already have out-of-the-box guidance on these first

    steps, so this is a logical place to start.

    The principles of security configuration management:

    AThe right settings will evolve over time: There aremillions of ways to configure systems. The right mix

    of security, availability and performance often requiresongoing adjustments, unless you standardize on a legacyplatform where that never changes. Don’t laugh — it’s aviable option.

    BSecurity policy, like the endpoints, need to be reassessedperiodically: Even after you have tuned the finest config-uration settings over countless meetings, there will come

    a time when the business or mission changes, softwareis updated, or new exposures are detected. Then policieswill need to be re-tuned and all endpoints checkedagainst them. This is typically done in conjunction withpreparation for annual IT audits, but it should be doneanytime there is a significant business change.

http://www.cio.com/article/2944673/security0/7-places-you-ll-be-surprised-to-learn-are-still-using-windows-xp.html


C. Unnecessary services and ports are dangerous: Use applications and services identified during software discovery to start trimming back on things that aren’t required by the business. Unneeded web servers, unauthorized file sharing applications, media players and unused programs are examples of applications that should be found and then turned off.

D. Users and their access: User credentials have become a new target in today’s threat landscape. Hackers frequently go after accounts and credentials that are enabled, but not closely monitored or actively used. Since these accounts and credentials are legitimate, hackers can easily evade detection because their activities appear to be part of business as usual.

Attackers use numerous techniques to steal employee credentials so they can gain access to corporate systems and networks. Sophisticated phishing campaigns can trick even the most skeptical users into entering their credentials on fraudulent websites. Advanced malware enables cybercriminals to capture employee credentials as they’re entered on an infected endpoint. What’s more, cybercriminals don’t even need to try to obtain corporate credentials directly from employees. Reuse of corporate credentials on third-party sites is so high that some criminal groups focus on stealing login credentials from social networks and other consumer websites, knowing there’s a good chance they’ll obtain credentials that will give them entry into corporate systems.

Another concern is disgruntled insiders. Accounts that aren’t deactivated after employees leave can be misused by both insiders and external actors. For example, a disgruntled terminated employee with remote access to company systems has the potential to cause a lot of problems.


BOOT CAMP: Leverage standardization

1. Standard Operating Procedures (SOPs): Standardize a set of procedures for hardening your hardware platforms and software. The goal of these procedures is to provide enumerated settings that any system administrator can implement. Validating your procedures against security best practices (e.g., CIS Critical Security Controls) can also make it easier to standardize your operating procedures. All organizations have exceptions: the CEO may insist on using a Mac or marketing requires new editing software. Make sure that exceptions to standard configurations are noted along with ownership and an expiry period, after which the exception must be reviewed and reapproved.

2. Use secure gold images: New systems should be rolled out with standard security settings included in master images. If a system is compromised, it’s often faster and easier to replace it with a known secure image instead of taking the time to manually remediate the endpoint. Make sure the deployment of these updated systems is ticketed, so the change is documented and related information is available to system owners and responders.

3. Legacy software: One of the most important considerations for your security posture is the selection of tools and applications that are allowed to run in your environment. Many attacks take advantage of older vulnerabilities that may exist in the OS and/or software being deployed. It’s important to check the manufacturer for updates and patches and the overall security readiness of legacy software. Be sure to note any potential vulnerability that may need to be mitigated using other means besides patching. Choosing a standard set of applications will also allow you to detect anomalies and unauthorized installations during your periodic software audits.

https://www.cisecurity.org/critical-controls/


4. Monitor “who” has access: Administrative and system accounts, which can be used for auditing or creating correlation rules, should be carefully monitored. Set up automatic alerts that will flag any unauthorized activity connected with these accounts. Set policies that require users to change their credentials often, and test users with unscheduled security awareness training.

5. Use secure communications: Unencrypted communications and credentials can be intercepted and reused by an attacker, so make sure remote protocols are secured using strong encryption. If strong encryption isn’t available for your application, then you should seriously consider removing it from the “authorized” list or take other mitigating steps to harden this asset. These might include isolating it from other networks and endpoints and severely restricting its access.

ADVANCED TRAINING: Monitor ALL the things!

6. Monitor everything for changes: Now that you’ve clearly identified what a secure baseline system configuration should look like for each asset type, monitor all systems for changes against that baseline. Tripwire Enterprise can make sure business-as-usual changes are automatically promoted, and that authorized not-business-as-usual changes are ticketed and reconciled.

7. Monitoring all the things (including OT): IIoT devices can be a challenge because OT hardware often uses proprietary protocols. Talk to your SCM vendor about their capability to work with your IIoT vendors. Don’t be surprised if monitoring of IIoT devices is achieved indirectly through IT systems (database queries, configuration files or command line interface at HMI) or through the simple expedience of event logs.

http://www.tripwire.com/it-security-software/scm/tripwire-enterprise/


8. Set alerts for administrator accounts: Set up an alert for any time “administrator” or “root” accounts are used, as well as to automatically link the chain of events: where they logged in from, what account was used to get to the system, etc. Monitor network events and trigger alerts when bogus or blacklisted IPs are detected. Alerts should also be issued on combinations of network and system events that could be unauthorized or indicative of a compromised system.

COMBAT READY: Automate, alert, and integrate

9. Integrate to analyze: Send alerts on unauthorized changes to ticketing systems as incidents and to SIEMs for security incident handling and correlation. Automate the detection of ports and services, as well as of new users.

Since multiple, conflicting policies can apply to a particular user and endpoint combination, you can also monitor Resultant Set of Policy (RSoP) to calculate the cumulative effect of multiple policy settings on Windows endpoints. RSoP is the group of policy settings in effect for a specific user. Wherever possible, reconcile these changes automatically. Tripwire Log Center can aggregate logs from all egress points and alert when it detects connections that should have been restricted to proxy connections but were not.

Tripwire Log Center can act as the receiving SIEM/log analytics system and correlate events. This can help save costs when forwarding to a SIEM product that’s licensed based on the amount of data processed.
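The baseline-and-reconcile loop from items 6 and 9, as an added example that is not Tripwire’s code: it snapshots the monitored files, diffs the result against the baseline, and marks each change as covered by an approved ticket or unauthorized. The file paths, their contents and the CHG-1001 ticket id are constructed sample data, and the demo runs inside a temporary directory.

```python
"""Baseline drift check with change-ticket reconciliation (added example, not
Tripwire Enterprise code): monitor files against a secure baseline and mark
each change as ticketed or unauthorized. Paths, contents and ticket ids are
constructed sample data; the demo runs inside a temporary directory."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class FileRecord:
    sha256: str   # content hash
    mode: int     # permission bits only, e.g. 0o644


def snapshot(root: str, rel_paths: Iterable[str]) -> Dict[str, FileRecord]:
    """Hash and stat each monitored path under root. Missing files are left
    out, so a later deletion shows up as a 'removed' change."""
    records: Dict[str, FileRecord] = {}
    for rel in rel_paths:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        records[rel] = FileRecord(digest, stat.S_IMODE(os.stat(path).st_mode))
    return records


@dataclass
class Change:
    path: str
    kind: str                     # added, removed, modified or permissions
    ticket: Optional[str] = None  # approved ticket covering this path, if any

    @property
    def authorized(self) -> bool:
        return self.ticket is not None


def diff_baseline(baseline: Dict[str, FileRecord],
                  current: Dict[str, FileRecord]) -> List[Change]:
    """Compare two snapshots; a content change outranks a mode-only change."""
    changes: List[Change] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            changes.append(Change(path, "added"))
        elif new is None:
            changes.append(Change(path, "removed"))
        elif old.sha256 != new.sha256:
            changes.append(Change(path, "modified"))
        elif old.mode != new.mode:
            changes.append(Change(path, "permissions"))
    return changes


def reconcile(changes: List[Change], tickets: Dict[str, Set[str]]) -> List[Change]:
    """tickets maps an approved ticket id to the paths it authorizes; any
    change on a path no ticket covers stays unauthorized."""
    covered = {p: tid for tid, paths in tickets.items() for p in paths}
    for change in changes:
        change.ticket = covered.get(change.path)
    return changes


MONITORED = ["etc/passwd", "etc/ssh/sshd_config", "usr/local/bin/agent"]


def _write(root: str, rel: str, body: bytes, mode: int = 0o644) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)
    os.chmod(path, mode)


def run_demo() -> List[Change]:
    """Constructed scenario: one ticketed config edit, plus an unticketed
    executable drop and an unticketed permission change on /etc/passwd."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        baseline = snapshot(root, MONITORED)
        # Ticket CHG-1001 (constructed id) authorizes the sshd_config edit only.
        with open(os.path.join(root, "etc/ssh/sshd_config"), "ab") as fh:
            fh.write(b"MaxAuthTries 3\n")
        _write(root, "usr/local/bin/agent", b"#!/bin/sh\necho hi\n", 0o755)
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        current = snapshot(root, MONITORED)
        tickets = {"CHG-1001": {"etc/ssh/sshd_config"}}
        return reconcile(diff_baseline(baseline, current), tickets)
```

Anything `run_demo()` returns with `authorized` false is what item 9 would forward to the ticketing system and SIEM as an incident.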


    LOG MANAGEMENT

As the volume and sophistication of cyber threats increase, organizations must sift through mountains of data to detect anomalies and identify real threats.

The traditional approach of handling ever-increasing log and event data has been to rely on basic log collection utilities or expensive large-scale SIEM deployments.

    The principles of log management are:

A. Log management is a core component of endpoint detection and response. It provides convenient access to diagnostic information about events of interest, creates reports on your event data, serves as a historical catalog of log messages and events, and enables compliance with regulatory policies and industry standards.

B. Jack of all security trades: To provide these benefits, log management systems collect log data from operating systems, applications, databases, IDS/IPS and network devices, such as firewalls and switches.


C. Answers the question, “What happened?”: It helps you better understand your environment, and detect and prevent attacks. Also, malicious actors prefer to disguise their tracks by deleting or resetting logs to hide their activity. Detecting this is important for finding attacks.

BOOT CAMP: Know thyself

1. First things first: Turn your logs on. Every critical system has a log you can enable. In many cases, critical logs aren’t enabled (by default or otherwise), so critical data is missing when detecting and responding to emerging cyber threats.

2. Architect your log collection: Know where your log data will be collected. In larger organizations, log data will be collected from a worldwide network of connected devices distributed across geographically dispersed offices.

Creating a map and architecture of where your log data originates will enable you to fine-tune your log data collection and storage architecture. During this phase, estimate the disk storage required to store “active” and “archived” log data based on its retention time. In most situations, there are regulatory guidelines you must follow. For example, you might be required to keep “active” log data available for 90 days and to retain “archived” data for 365 days.

Your map and architecture should, at a minimum, contain the locations of log data to be collected, the type of log data, expected daily log growth, the length of time the log data will be retained as “active” and “archived,” and who has access to it.


3. Use secondary log managers: By adding one or more secondary log managers to your environment you can distribute log management functionality to meet your organization’s growing needs. The use of secondary log managers can improve performance while also giving you the ability to partition log data based on geography, business unit or business function.

4. Reliably collect log data: Each log contains unique data. When combined, the cumulative data will provide insights into emerging cyber threats. In the event of a breach, you will need all the endpoint data you can get your hands on: logs from network devices (such as firewalls, switches, IDS and IPS), all operating systems, databases, applications, servers and more. The collection process should ensure that if a system, device or other asset fails, you have 100% certainty that your log data is safe.

5. Centralized storage: Because the data is easily accessible, centralized collection of logs and events is important for enabling fast investigations, forensics, and detection and response to endpoint threats. Good log management products like Tripwire Log Center can collect deep and detailed log data as well as endpoint event and network activity information, and store that information in a repository capable of large-scale data reporting and analytics.

Forensic investigations into how and why an incident occurred can benefit from a comprehensive archive of log data and events. When an investigation is underway, it’s helpful to have log management tools that can adjust the length of time for archives, and enable the ability to dearchive log data for investigations or audits. It’s also useful to employ a tool with high levels of compression to reduce storage demands, while simultaneously protecting logs from alteration.


ADVANCED TRAINING: Identify and alert

6. Correlation rules: Identify emerging cyber threats with the identification of suspicious events based on correlation of system changes, weak configurations and vulnerabilities. Leverage products with drag-and-drop capabilities to quickly define and customize correlation rules for events and filter and detect anomalies, suspicious behaviors, changes and patterns known to be threats and IoC. In addition, you can correlate predefined patterns of malware behavior and exfiltration.

7. Alerts: When your logs match correlation rules, advanced log management products can identify suspicious events for quick review using trigger-specific alerts and actions. This reduces the need for specialized expertise and resources to create correlation rules in more complex formats.
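The kind of correlation rule items 6 and 7 describe, as an added example rather than Tripwire Log Center’s rule engine: three rules run over constructed log lines (privileged-account logons, audit-log clearing shortly after a privileged logon, and logons from a blocklisted source), and a severity filter picks what to forward to the SIEM. The hostnames, users, timestamps and the 203.0.113.7 address (TEST-NET-3 documentation range) are all constructed.

```python
"""Correlation rules over endpoint log events (added example, not Tripwire
Log Center's rule engine). Three rules from this section run over constructed
log lines in a simplified "timestamp key=value ..." format: privileged-account
logons, audit-log clearing shortly after a privileged logon, and logons from a
blocklisted source. A severity filter then picks what to forward to the SIEM."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

PRIVILEGED = {"root", "administrator"}
BLOCKLIST = {"203.0.113.7"}           # constructed; 203.0.113.0/24 is TEST-NET-3
CLEAR_WINDOW = timedelta(minutes=30)  # log clearing this soon after a privileged logon is suspicious
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample log, already normalized into one event per line.
SAMPLE_LOG = """\
2016-03-01T09:12:03Z host=fs01 user=jsmith src=10.0.0.21 event=LOGIN
2016-03-01T09:40:11Z host=fs01 user=Administrator src=203.0.113.7 event=LOGIN
2016-03-01T09:52:30Z host=fs01 user=Administrator event=LOG_CLEARED
2016-03-01T11:05:00Z host=db02 user=root src=10.0.0.9 event=LOGIN
2016-03-01T16:30:00Z host=db02 user=svc_backup event=LOG_CLEARED
"""


@dataclass
class Alert:
    severity: str
    rule: str
    host: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Split 'ts k=v k=v' into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2 or any("=" not in p for p in parts[1:]):
        return None
    event = dict(p.split("=", 1) for p in parts[1:])
    event["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(events: List[dict]) -> List[Alert]:
    """Apply the rules in time order, keeping per-host state so that a
    LOG_CLEARED event can be linked back to the logon that preceded it."""
    alerts: List[Alert] = []
    last_priv: Dict[str, Tuple[str, str, datetime]] = {}  # host -> (user, src, ts)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev.get("host", "?"), ev.get("event")
        user, src = ev.get("user", "?"), ev.get("src", "?")
        if kind == "LOGIN":
            if src in BLOCKLIST:
                alerts.append(Alert("high", "blocklisted-source", host, f"{user} from {src}"))
            if user.lower() in PRIVILEGED:
                last_priv[host] = (user, src, ev["ts"])
                alerts.append(Alert("medium", "privileged-logon", host, f"{user} from {src}"))
        elif kind == "LOG_CLEARED":
            prior = last_priv.get(host)
            if prior and ev["ts"] - prior[2] <= CLEAR_WINDOW:
                mins = int((ev["ts"] - prior[2]).total_seconds() // 60)
                alerts.append(Alert("critical", "log-cleared-after-privileged-logon", host,
                                    f"cleared by {user} {mins} min after {prior[0]} logged in from {prior[1]}"))
            else:
                alerts.append(Alert("high", "log-cleared", host, f"cleared by {user}"))
    return alerts


def forward(alerts: List[Alert], min_severity: str = "high") -> List[Alert]:
    """Pre-filter: only alerts at or above min_severity go on to the SOC/SIEM."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in alerts if SEVERITY_RANK[a.severity] >= floor]


def run_demo() -> List[Alert]:
    events = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    return correlate(events)
```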

COMBAT READY: Integrate, automate and investigate

8. Integration: Integrate your log management solution with a security configuration management product like Tripwire Enterprise and a vulnerability management product like Tripwire IP360 to provide your organization with additional security and business context that will help prioritize the most critical threats.

Integrated log management systems can use correlation rules to detect and alert you to suspicious events that affect the security state of your system.

http://www.tripwire.com/it-security-software/scm/tripwire-enterprise/
http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/tripwire-ip360/


9. Combine business, security, risk and user context: Combining business and user context lets you easily monitor assets and users that, when combined, may warrant a closer watch. For example, you might want to carefully monitor the highest value assets to which contractors have access. You can further prioritize risk by correlating suspicious events identified by Tripwire Log Center with suspicious changes detected by Tripwire Enterprise and vulnerabilities identified by Tripwire IP360. For example, when integrated with a vulnerability management solution like Tripwire IP360, the log management solution will provide increased network and threat awareness within your environment. This combination of vulnerability and event information provides insights that enable you to identify risk and prioritize your security efforts.

10. Collect and forward: To forward only relevant and actionable data to your SOC and third-party tools such as SIEMs and threat intelligence solutions, pre-filter log data to identify anomalies and patterns known to be IoC. Advanced log management solutions should be able to filter and detect anomalies, suspicious behaviors and changes and patterns based on threat and IoC data.

11. Automate: Extend correlation rules to provide alerts and remediation. Identify the personnel and resources that need to be notified when specific situations are identified, and then extend the correlation to contact the personnel responsible to investigate and remediate the alerts. Also consider scripted responses for correlation rules that can automatically remove, mitigate or harden your endpoints.

http://www.tripwire.com/it-security-software/tripwire-log-center/
http://www.tripwire.com/it-security-software/scm/tripwire-enterprise/
http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/tripwire-ip360/


THREAT DETECTION & RESPONSE

Advanced threats are designed to outwit traditional signature-based anti-virus (AV) solutions using polymorphic and self-updating, environment-aware malware. This shouldn’t be surprising. Old school detection was developed based on a very different threat landscape, one in which threats evolved much more slowly and were less sophisticated. Not too long ago, the security industry just needed to know something about an attack to write a signature or rule that would protect against it.

EDR is a new approach that evolved from the realization that the industry can’t prevent attackers from getting in. Instead, we should assume they will get in, so focus on real-time detection of behavior that indicates a breach. Then, it’s important to create effective incident responses designed to limit damage. EDR supplements traditional, signature-based technologies with anomaly detection and visibility across all enterprise endpoints, not just servers and workstations.

    The principles of malware detection and response are:

A. Faster than a sniper’s bullet: Modern phishing attacks occur at nearly the speed of light, and the first hit is likely to be an innocent user clicking on a malicious attachment or URL in an email. The malware this action unleashes can cut through security defenses.

http://labs.lastline.com/analyzing-environment-aware-malware-a-look-at-zeus-trojan-variant-called-citadel-evading-traditional-sandboxes


B. Attackers customize their attacks for your enterprise: These are targeted attacks. The attackers will use non-invasive techniques like social engineering to glean who your employees are and what their emails look like.

BOOT CAMP: Make sure you do the basics for every endpoint

1. Mind your SOPs: Earlier we discussed establishing your SOPs. In nearly every single breach there is a detectable change to the environment. These are the early indicators that an attack may be underway. Monitor applications that are running, and issue alerts on new software that’s accessing critical data. If your SOPs limit software executables to a whitelist, then any anomaly must be investigated.

Unusual user access may also indicate a compromise. Update user credentials often and test users with random security awareness training. Finally, be sure that users are not reusing credentials outside the corporate environment to prevent someone else’s breach from becoming yours.

2. Run anti-virus: While AV isn’t stopping most malware these days, it still stops some of it. Symantec admits that AV only stops about 45% of attacks — but at least it helps.

3. Run host-based firewalls/IPS: Remember when we talked about blocking unnecessary ports and services? Do this on every endpoint by limiting the applications authorized to run and the ports that may be opened. Advanced malware may still manage to find a port or process to hijack, but at least you’ll be making it much more difficult for attackers.

https://dottech.org/157355/symantec-admits-anti-virus-software-is-no-longer-effective-at-stoping-virus-attacks/


ADVANCED TRAINING: Centralize management of malware detection

4. Alternatives to anti-virus: We already know that AV is not enough to thwart the most advanced attacks. Cybercriminals have also gained understanding of how AV works, and so they actively endeavor to get around these protections.

Your focus should be on the possible attack vectors and how to use the most effective protection technologies to stop the attack. For example, many recent attacks incorporate a compromised website as a way to make first contact with their victim. Web filtering would be the most effective way to prevent this type of infection by preventing accidental exposure.

Other possible alternatives include whitelisting, sandbox containment, exploit disruption, email and web filtering, network access control (NAC), host-based intrusion prevention (HIPS) and even changing user passwords. All of these tools have their place and should be considered as part of a multi-layered, defense-in-depth approach to protecting your most valuable endpoints.

5. Send the logs to your SIEM for correlation: At some point you will be looking for evidence of a breach or evidence that your latest breach has been contained. To do this, logs will need to go to a log management system such as Tripwire Log Center. As an added bonus, if you collect and analyze these logs in real time, you may be able to catch traces of activity before an attacker covers their tracks by deleting logs. Analytics derived from consolidating various logs in one place can lead you to hidden security gems and more accurate forensics.


6. Make sure anti-virus is running: Make certain your AV is running with up-to-date virus definitions using its enterprise management console. Alternatively, use a solution like Tripwire Enterprise’s Security Dashboard.

7. The only good change is an approved change: If you ticket and reconcile every change, then anything that isn’t ticketed is an unauthorized change. Unauthorized changes are sometimes malicious and always a teachable moment for your admins. Using this approach, malware detection becomes a natural byproduct of good security configuration management practices.

COMBAT READY: Integrate threat intelligence into your controls

8. Integrate network threat intelligence with endpoint detection: Use the integrations between Tripwire Enterprise and leaders in network threat intelligence like Check Point Software Technologies, Palo Alto Networks, Cisco, Lastline, Blue Coat, and FireEye. These solutions bring network and endpoint security together to make detection and protection against advanced threats more accurate and timely using a three-step process. First, suspicious files on critical assets are identified. Next, the files are sent to a threat analysis service. Finally, security controls are updated based on identified threats.

9. Integrate hash indicators of compromise with endpoint detection: Utilize peer and community-sourced IoC hashes to gain intelligence on new and emerging threats. By leveraging STIX and TAXII standards or tailored commercial threat intelligence services, you will be able to look for threats that may be hiding in the blind spots of your defenses. These IoCs are automatically downloaded to Tripwire Enterprise, which then searches forensics data. If a threat is detected, you get an alert and are able to drive remediation.

http://www.checkpoint.com/
https://www.paloaltonetworks.com/
http://www.cisco.com/
http://www.lastline.com/
https://www.bluecoat.com/
https://www.fireeye.com/


10. Integrate network indicators of compromise: These vendors, as well as many others, provide threat intelligence about IPs, domains and names that are known to host malware, command and control servers and other attack infrastructure. Use this intelligence to modify firewall rules, IPS blocking and SIEM correlations. By correlating network intelligence with other security data in big data solutions like Splunk, you can rapidly determine when your enterprise is communicating with a known bad actor.
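The hash and network IoC matching of items 9 and 10 in one added example (not Tripwire Enterprise’s IoC search): the indicators arrive as STIX 2 objects whose patterns carry a file hash, an IPv4 address or a domain, and they are matched against a constructed file-hash inventory and a constructed outbound-connection log. The “bad” hash is computed from a constructed byte string, the indicator ids and names are made up, the addresses are from documentation ranges and the domains use reserved example names.

```python
"""STIX 2 indicator matching against endpoint data (added example, not Tripwire
Enterprise's IoC search). Indicators arrive as STIX 2 objects whose patterns
carry a file hash, an IPv4 address or a domain; they are matched against a
constructed file-hash inventory and a constructed outbound-connection log.
The 'bad' hash is computed from a constructed byte string, the addresses are
from documentation ranges and the domains use reserved example names."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Single-comparison STIX patterns, e.g. [file:hashes.'SHA-256' = '<hex>']
# or [ipv4-addr:value = '203.0.113.7']. Boolean combinations are out of scope.
PATTERN_RE = re.compile(
    r"^\[\s*(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\s*\]$")


@dataclass(frozen=True)
class Indicator:
    obj_type: str   # file, ipv4-addr or domain-name
    prop: str       # e.g. hashes.SHA-256 or value
    value: str      # normalized to lower case
    name: str


@dataclass(frozen=True)
class Hit:
    host: str
    indicator: str
    where: str


def parse_indicator(stix_obj: dict) -> Indicator:
    """Extract the observable from a STIX indicator; unsupported patterns raise."""
    m = PATTERN_RE.match(stix_obj["pattern"].strip())
    if not m:
        raise ValueError(f"unsupported pattern: {stix_obj['pattern']}")
    prop = m.group("prop").replace("'", "")
    return Indicator(m.group("obj"), prop, m.group("value").lower(),
                     stix_obj.get("name", stix_obj["id"]))


def match(indicators: List[Indicator],
          file_inventory: Dict[str, Dict[str, str]],
          connections: List[Tuple[str, str, Optional[str]]]) -> List[Hit]:
    """file_inventory: host -> {path: sha256}; connections: (host, dst_ip, dst_domain)."""
    by_hash = {i.value: i for i in indicators
               if i.obj_type == "file" and i.prop == "hashes.SHA-256"}
    by_ip = {i.value: i for i in indicators if i.obj_type == "ipv4-addr"}
    by_domain = {i.value: i for i in indicators if i.obj_type == "domain-name"}
    hits: List[Hit] = []
    for host, files in file_inventory.items():
        for path, digest in files.items():
            ind = by_hash.get(digest.lower())
            if ind:
                hits.append(Hit(host, ind.name, f"file {path}"))
    for host, dst_ip, dst_domain in connections:
        ind = by_ip.get(dst_ip) or (by_domain.get(dst_domain.lower()) if dst_domain else None)
        if ind:
            hits.append(Hit(host, ind.name, f"connection to {dst_ip} ({dst_domain or 'no name'})"))
    return hits


# Constructed threat-intelligence feed (ids and names are made up for the demo).
BAD_HASH = hashlib.sha256(b"constructed sample dropper content").hexdigest()
INDICATORS = [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "name": "Constructed dropper hash", "pattern_type": "stix",
     "pattern": f"[file:hashes.'SHA-256' = '{BAD_HASH}']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "name": "Constructed C2 address", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "name": "Constructed C2 domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example.net']"},
]
# Constructed endpoint data as an agent might report it.
INVENTORY = {
    "ws-017": {"C:\\Users\\Public\\update.exe": BAD_HASH,
               "C:\\Windows\\notepad.exe": hashlib.sha256(b"constructed benign content").hexdigest()},
    "srv-db02": {"/usr/sbin/sshd": hashlib.sha256(b"constructed benign sshd").hexdigest()},
}
CONNECTIONS = [("ws-017", "203.0.113.7", None),
               ("srv-db02", "198.51.100.20", "updates.example.com"),
               ("ws-042", "192.0.2.44", "c2.example.net")]


def run_demo() -> List[Hit]:
    return match([parse_indicator(o) for o in INDICATORS], INVENTORY, CONNECTIONS)
```

Each Hit is what would become the alert described in item 9, with the host and the matching file or connection as the starting point for remediation.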

http://www.tripwire.com/register/tripwire-enterprise-and-splunk/


SUMMARY: ENDPOINT SECURITY SCORECARD

Knowing how mature your organization’s EDR program is in comparison to the principles outlined in this field guide will quickly give you an idea of where additional refinements may be necessary.

We recommend you measure your organization against the guidance in this field guide to help improve your security risk posture. Complete the following scorecard and tally the results to help you understand what you need to do to improve the efficacy of each control as part of your EDR program.

    Give your organization a 0–3 rating for each control...

  0: “We’re not doing anything.”

  1: “We only do the bare minimum, usually for compliance reasons.”

  2: “Yes, we do this, but it’s not perfect.”

  3: “We have this down to a science and are constantly looking for ways to improve.”


CONTROL                               SCORE
Endpoint Discovery                    ____
Software Discovery                    ____
Vulnerability Management              ____
Security Configuration Management     ____
Log Management                        ____
Threat Detection and Response         ____
TOTAL                                 ____

Your Score

0–6: Boot Camp

You face a range of challenges putting together a strong EDR program, but don’t worry—we’ve got you covered. Here are some additional resources:

» Read the Endpoint Detection and Response For Dummies e-book to learn about deploying and managing security for many kinds of endpoints.

» Read the “Meeting the True Intent of File Integrity Monitoring” white paper.

» Read the Security Configuration Management For Dummies e-book.

» Sign up for a Tripwire SecureScan account for free vulnerability assessments.

http://www.tripwire.com/register/edr-for-dummies
http://www.tripwire.com/register/meeting-the-true-intent-of-file-integrity-monitoring
http://www.tripwire.com/scm
http://www.tripwire.com/securescan


7–12: Advanced Training

Well done. Here are suggestions on how you can take your security programs to the next level.

» Understand why the tactics and strategies to respond to high-impact vulnerabilities differ from those used in other security events.

» Read “Restoring Trust After a Breach: Which Systems Can I Trust?”

» Watch the video “How to Protect Against the Ransomware Epidemic.”

13–18: Combat Ready

Congratulations, you are a leader in your field, constantly looking for ways to improve security. Here are some resources for highly mature security organizations:

» Get tips for taking your organization’s vulnerability management program to the next level of maturity.

» Learn about Actionable Threat Intelligence: Automated IoC Matching with Tripwire.

» Find metrics on how to assess the current state of your endpoint security program in the “SANS – A Maturity Model For Endpoint Security” white paper.

http://www.tripwire.com/register/responding-to-high-impact-vulnerabilities-are-you-prepared
http://www.tripwire.com/register/restoring-trust-after-a-breach-which-systems-can-i-trust
http://www.tripwire.com/company/events/event-calendar/how-to-protect-against-the-ransomware-epidemic
http://www.tripwire.com/register/the-five-stages-of-vulnerability-management-maturity
http://www.tripwire.com/register/actionable-threat-intelligence-automated-ioc-matching-with-tripwire
http://www.tripwire.com/register/sans-a-maturity-model-for-endpoint-security


Learn More

Tripwire can show you how to build a holistic approach to endpoint security and strike the right balance between protection and detection. To get started, check out the EDR Resources page featuring videos, guides and white papers designed to help you with your defensive strategy.

    Definitions

Alert: A prioritized notification of critical security incidents.

Asset: Any company-owned information, system or hardware that is used in the course of business activities.

Baseline: A “known-good” configuration of a device used for change comparison to identify suspicious changes.

Business Context: Security metadata unique to each organization that aids in filtering and prioritizing security data.

Change: A deviation from a known configuration that alters the state of a device.

Configuration: How an endpoint is set up, including, but not limited to, registry settings, configuration files, database schemas and permissions, group and local policies, services and ports enabled.

Contain: Minimize losses and repair systems.

    http://www.tripwire.com/solutions/endpoint-detection-and-response/http://www.tripwire.com/solutions/endpoint-detection-and-response/http://www.tripwire.com/solutions/endpoint-detection-and-response/http://www.tripwire.com/solutions/endpoint-detection-and-response/


    Detection: The identification of security incidents using endpoint monitoring.

    Endpoint: Any device that could be targeted in an attack, or any device that could be used to advance an attack.

    FIM: File Integrity Monitoring, a security solution that monitors key system files for changes.

    Hardening: Reduces the exploit risk of a device by optimizing configuration settings for security, including, but not limited to, disabling unnecessary services and accounts, removing unneeded applications, eliminating information exposures and remediating vulnerabilities.

    IIoT: Industrial Internet of Things.

    Investigate: The process of gathering and analyzing information related to security incidents, including the ability to drill down into information about what changed and who changed it, as well as a launch-in-context ability to pivot between data sources.

    Information Technology (IT): Technology involving the development, maintenance and use of computer systems, software and networks for the processing and distribution of data.

    Operational Technology (OT): Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events.


    Policy: A specific set of preferred device configurations or states as defined by a governing or regulatory authority.

    Remediate: Mitigating steps taken to address a security issue or vulnerability.

    Threat Intelligence: Information from a third party that can be correlated with information you collect to detect threats.
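The Baseline, Change, FIM and Detection entries above describe one mechanism: record a known-good state of key files, then compare the live state against it and classify every deviation. The following is an added example written for this page, not Tripwire's own implementation, of that baseline-and-compare loop. It hashes a directory tree, signs the baseline with an HMAC so a tampered baseline is rejected rather than silently hiding changes, and reports added, removed and modified files. The directory layout, file contents and signing key are all constructed for the demo.

```python
"""Minimal file-integrity baseline and change comparison.

Added example for this page; not Tripwire's code. The monitored tree,
its contents and the signing key below are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Constructed demo key. In a real deployment the key that signs the
# baseline lives off the monitored host, so a local attacker who alters
# a file cannot also re-sign a matching "baseline" to hide the change.
BASELINE_KEY = b"demo-baseline-signing-key"


def _file_record(path):
    """Hash the file contents and capture the metadata a comparison needs."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    info = os.stat(path)
    return {
        "sha256": digest.hexdigest(),
        "size": info.st_size,
        "mode": stat.S_IMODE(info.st_mode),
    }


def snapshot(root):
    """Walk `root` and return {relative_path: record} for each regular file."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                records[os.path.relpath(full, root)] = _file_record(full)
    return records


def sign_baseline(records, key=BASELINE_KEY):
    """Serialize the baseline deterministically and attach an HMAC tag."""
    body = json.dumps(records, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"baseline": body, "hmac": tag}


def load_baseline(signed, key=BASELINE_KEY):
    """Reject a baseline whose tag does not verify before trusting it."""
    expected = hmac.new(key, signed["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("baseline signature mismatch")
    return json.loads(signed["baseline"])


def compare(baseline, current):
    """Classify each deviation from the baseline as added, removed or modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = {
            field: (baseline[path][field], current[path][field])
            for field in ("sha256", "size", "mode")
            if baseline[path][field] != current[path][field]
        }
        if diffs:
            modified[path] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, drift it three ways, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as handle:
            handle.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "hosts"), "w") as handle:
            handle.write("127.0.0.1 localhost\n")
        signed = sign_baseline(snapshot(root))

        # Simulated drift: a weakened setting, a deleted file and a new file.
        with open(os.path.join(etc, "sshd_config"), "w") as handle:
            handle.write("PermitRootLogin yes\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "unexpected.conf"), "w") as handle:
            handle.write("placeholder\n")

        return compare(load_baseline(signed), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each entry in `modified` carries the old and new value of every field that changed, which is the "what changed" half of the Investigate definition; pairing it with who changed it needs an audit source (process or user attribution) that a hash comparison alone cannot supply.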
